Windows File Sharing Without a Domain Controller Using JumpCloud

Published 2021-12-09, last updated 2024-01-29. https://jumpcloud.com/blog/windows-file-sharing-without-a-domain-controller
This tutorial outlines the steps required to establish domainless Windows file sharing for small teams that only need to grant access to a handful of end users. This configuration makes it possible to migrate away from Active Directory (AD) while maintaining established workflows by leveraging Integrated Windows Authentication and local groups. This approach reduces IT overhead and adds user convenience while delivering modern authentication features, including Push MFA and conditional access.

In this setup, JumpCloud assumes the role of Active Directory by syncing accounts across devices. IT departments do not require any knowledge of user account passwords for this configuration, because JumpCloud provisions the same credentials on every server resource. Windows NTLM authentication only requires that the same username and password reside on each file server, which is exactly what JumpCloud's agent provides.
Next, JumpCloud pushes local group assignments and rights to each shared folder on the file server. This is made possible by the "Commands" feature within Device Management. Every command requires a runner (superuser) and a target of either a device group or individual devices. The Commands feature includes a Results tab that displays any error messages.

- Create a local group:

New-LocalGroup -Name "FileShareUsers"
Please note that this command will not work if the Windows PowerShell checkbox isn't selected.

The result is a local group created on your file server, visible in the Computer Management interface.

The next step is to add members to the group so that they can collaborate.
- Add users to the local group (after the user has been created in JumpCloud):

Add-LocalGroupMember -Group "FileShareUsers" -Member "YOURNAME"

This step has to be repeated for each user on the target Windows devices. Alternatively, you can put one Add-LocalGroupMember line per user in the same JumpCloud command (copy the line and change the user name) and target a Device Group, so the step runs only once.
Please note that this command will not work if the Windows PowerShell checkbox isn't selected.

After the command runs, the Computer Management interface shows the user as a member of the local group.

- Create a folder:

New-Item -Path "C:\MyFolder" -ItemType Directory

Please note that this command will not work if the Windows PowerShell checkbox isn't selected.

There will now be a folder on your C:\ drive that you'll designate as a shared directory in the next step.
- Create a share for this folder (Note: we chose to use the same FileShareUsers group for this share and to give it FullAccess; the documentation shows how this can be changed.):

New-SmbShare -Name "MyFileShare" -Path "C:\MyFolder" -FullAccess "FileShareUsers"

Please note that this command will not work if the Windows PowerShell checkbox isn't selected.

Windows Advanced Sharing Settings
Next, you're going to enable sharing for 'MyFolder'. Right-click the folder, select Advanced Sharing, and add the group "FileShareUsers" to the folder with the appropriate permissions.

The local user group provides read-only access to the file share.

This is an example of what the shared folder will look like on other devices.

Your network file share is now established and can be accessed from other PCs within your organization that have the JumpCloud agent installed and the drive mapped for sharing. However, we strongly advise optimizing your security before this workflow goes into production.
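The four provisioning steps above, consolidated into one idempotent script that can be pasted into a single JumpCloud Command (with the Windows PowerShell checkbox selected) and targeted at a Device Group. This is an added example, not code from the JumpCloud post; the group, user, folder and share names are assumptions. It goes one step beyond the post by also writing the NTFS ACL on the folder, so that effective access is bounded by the folder permissions as well as the share permissions, and it reports the resulting configuration so the Results tab shows what was applied.

```powershell
# Added example (not from the JumpCloud post). Runs as SYSTEM via a JumpCloud Command.
# Names below are assumptions; adjust them for your environment.
$ErrorActionPreference = 'Stop'

$GroupName  = 'FileShareUsers'
$Members    = @('alice', 'bob')   # local usernames created by the JumpCloud agent (assumed)
$FolderPath = 'C:\MyFolder'
$ShareName  = 'MyFileShare'

# 1. Local group (skip if it already exists, so the command can be re-run safely)
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Members may access the file share'
}

# 2. Members: skip users the agent has not created yet, and skip existing members
$existing = @(Get-LocalGroupMember -Group $GroupName | ForEach-Object { $_.Name.Split('\')[-1] })
foreach ($user in $Members) {
    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
        Write-Warning "Local user '$user' does not exist on $env:COMPUTERNAME; skipping"
        continue
    }
    if ($existing -notcontains $user) {
        Add-LocalGroupMember -Group $GroupName -Member $user
    }
}

# 3. Folder
if (-not (Test-Path -Path $FolderPath)) {
    New-Item -Path $FolderPath -ItemType Directory | Out-Null
}

# NTFS ACL (beyond the post): stop inheriting from C:\, then grant only
# Administrators and SYSTEM full control and the share group Modify.
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    @('BUILTIN\Administrators',            'FullControl'),
    @('NT AUTHORITY\SYSTEM',               'FullControl'),
    @("$env:COMPUTERNAME\$GroupName",      'Modify')
)
foreach ($r in $rules) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new($r[0], $r[1], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $FolderPath -AclObject $acl

# 4. SMB share restricted to the group (no Everyone entry is created)
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath -FullAccess $GroupName
}

# Report the result; this output appears on the Command's Results tab
Get-SmbShareAccess -Name $ShareName
Get-LocalGroupMember -Group $GroupName
```

Because Windows applies the more restrictive of the share ACL and the NTFS ACL, granting FullAccess on the share while holding the group to Modify on the folder keeps members from changing permissions on the folder itself, which is the usual least-privilege split for a team share.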
Before you get started, review the classification of data within your organization and follow a least privilege administrative model (consider migrating sensitive data to secure cloud services).

Hardening NTLM
This step should be considered mandatory. NTLM is supported by Microsoft and is the fallback protocol suite when Kerberos isn't available. It's important to follow the hardening step below to prevent downgrade attacks, and to only use NTLMv2 responses. There are three categories of changes that you should work through prior to deploying domainless file sharing. They are:

- PowerShell commands to help mitigate some of the vulnerabilities that have been discovered by security researchers and documented by Microsoft.
- Conditional access to secure access to your internal network resources.
- Directory Insights to monitor access attempts for any irregularities.
Legacy versions of Windows Server (pre Windows 2008) may encounter compatibility issues with these commands. Roll back to the previous configuration in the event you need to recover previous registry key values. Please refer to Microsoft's documentation on NTLM before creating this workflow.

Harden NTLM Using PowerShell
These commands are executed to remove outdated password handling mechanisms within Windows. Please do not skip this step, and use EDR to prevent rogue files from entering your shares.

# Read the current value first so it can be restored later (the page's copy of this
# line lost the cmdlet name; Get-ItemProperty is assumed)
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\' -Name 'LmCompatibilityLevel'

# 5 = send NTLMv2 responses only; refuse LM and NTLM. The value must be a REG_DWORD.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\' -Name 'LmCompatibilityLevel' -Value 5 -PropertyType DWord -Force

You may also consider disabling the WinHTTP auto-proxy service (WinHttpAutoProxySvc) for remote users only. Disabling it on PCs that rely on proxy auto-discovery on a LAN could disrupt internet access.

HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Start
REG_DWORD 4

Conditional Access
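The hardening commands above, as an added example rather than code from the JumpCloud post, wrapped in a script that records the current registry values before changing them (the rollback material the previous paragraph asks you to keep), applies the new values, and then reads them back so a failure is visible on the Command's Results tab. The backup file path and the -DisableAutoProxy switch are assumptions; the switch maps to the WinHttpAutoProxySvc Start = 4 setting above and should only be used on remote-only PCs. Going beyond the post, the script also sets NoLMHash = 1 so LM hashes are no longer stored for local accounts.

```powershell
# Added example (not from the JumpCloud post). Run as SYSTEM via a JumpCloud Command
# with "Windows PowerShell" selected. BackupPath and -DisableAutoProxy are assumptions.
param(
    [switch]$DisableAutoProxy,   # remote-only PCs; can break LAN proxy auto-discovery
    [string]$BackupPath = 'C:\ProgramData\ntlm-hardening-backup.json'
)
$ErrorActionPreference = 'Stop'

$Lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$AutoProxy = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'

# Desired state. LmCompatibilityLevel 5: send NTLMv2 only, refuse LM and NTLM.
# NoLMHash 1 (beyond the post): do not store LM hashes on the next password change.
$Desired = @(
    @{ Path = $Lsa; Name = 'LmCompatibilityLevel'; Value = 5 },
    @{ Path = $Lsa; Name = 'NoLMHash';             Value = 1 }
)
if ($DisableAutoProxy) {
    $Desired += @{ Path = $AutoProxy; Name = 'Start'; Value = 4 }   # 4 = service disabled
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, meaning the Windows default applies
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Snapshot current values before changing anything; keep only the first
#    (pre-hardening) snapshot so re-runs do not overwrite the rollback data
$backup = foreach ($d in $Desired) {
    [pscustomobject]@{ Path = $d.Path; Name = $d.Name; Previous = (Get-RegValue $d.Path $d.Name) }
}
if (-not (Test-Path -Path $BackupPath)) {
    $backup | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8
}

# 2. Apply. -Force overwrites an existing value; DWord matches what LSA expects.
foreach ($d in $Desired) {
    New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType DWord -Force | Out-Null
}

# 3. Verify by reading back; a non-zero exit code marks the Command as failed
$failed = @()
foreach ($d in $Desired) {
    $now  = Get-RegValue $d.Path $d.Name
    $prev = ($backup | Where-Object Name -eq $d.Name).Previous
    "{0}\{1}: was {2}, now {3}" -f $d.Path, $d.Name, $prev, $now
    if ($now -ne $d.Value) { $failed += $d.Name }
}
if ($failed.Count -gt 0) {
    Write-Error "Not applied: $($failed -join ', ')"
    exit 1
}
```

To roll back on a legacy server that stops authenticating, read the JSON snapshot and write each Previous value back with Set-ItemProperty (or remove the value with Remove-ItemProperty where Previous is null, which restores the Windows default).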
JumpCloud's Device Trust limits which devices may access applications and other resources through SSL/TLS certificates. It's fundamental to conditional access, which can further secure access to resources via geofencing and other measures such as requiring MFA. These features are included in the JumpCloud Platform Plus package. JumpCloud also provides policies to ensure that Windows updates are applied and not delayed, which helps to ensure that any high-priority security patches are delivered to your Windows endpoints.

Monitoring also helps to ensure that your configuration isn't being misused.

Directory Insights
Directory Insights is a standard feature of JumpCloud that provides an audit trail of user logins, so unauthorized attempts will be noticed and you'll be alerted. Directory Insights is a component of the platform and has no additional cost to access.
Video: IT Garage - Domainless File Sharing

Try JumpCloud

Domainless Windows file sharing is possible with JumpCloud using Integrated Windows Authentication (IWA). JumpCloud is free for your first 10 devices and users, with complimentary access to premium support 24x7x365 during the initial 10 days of your signup.